Risk acceptability alignment between ISO 14971 and IEC 62304

#1
I'm working on a risk management process for medical device software development and have a question re risk acceptability. In clause 4.3 of IEC 62304:2006 AMD1:2015, software is classified as B or C if it results in "unacceptable risk." It doesn't state that the unacceptable risk must be mitigated as long as the category B or C is used in the development process. However, under ISO 14971, if we analyze the same software risks as in our safety classification, using the same criteria for risk acceptability, then any unacceptable risk must be mitigated through risk controls or redesign. So, how in practice could any software be left at a B or C safety class if the "unacceptable" risk must be mitigated under ISO 14971 requirements? It seems like a bit of a conundrum.
 
Elsmar Forum Sponsor

blah01

Involved In Discussions
#2
Depends on the effect of the risk controls you implement. When talking about risks (i.e. harm to the user) you need to identify the probability of the harm occurring and the severity of the harm. If you are able to reduce the severity of the harm through risk controls then yes you could potentially change the safety class of that risk factor, but not all risk controls result in reducing the severity of the risk. Note that IEC 62304 4.3.a does state "which results in unacceptable RISK after consideration of RISK CONTROL measures". Therefore it's the residual risk (per ISO 14971) that then determines the safety class of the identified risk.

That's my interpretation anyhow and how I've implemented it.
 
#3
Thanks Marc, I appreciate these insights. What is your usual approach to the sequence of safety classification vs software risk analysis activities? My interpretation would be to perform the software safety classification before ISO 14971 software risk analysis, because safety class (per clause 7 of IEC 62304) determines the level of risk management activities required. For example, safety class A software does not require any of the risk management activities.
 

Tidge

Involved In Discussions
#5
What is your usual approach to the sequence of safety classification vs software risk analysis activities? My interpretation would be to perform the software safety classification before ISO 14971 software risk analysis, because safety class (per clause 7 of IEC 62304) determines the level of risk management activities required.
My development projects that include software with ME devices start with a Hazard Analysis to see if the software can either contribute to unacceptable risks or will be allocate some element of controlling unacceptable risks. This is done before trying to evaluate the effectiveness of any non-software risk controls. So we don't do this before starting our 14971 process, but rather as part of the process.

Sidebar: The 'sub-process' step in the diagram of 4.3 is IMO deceptive, because it implies that a rather complete evaluation of all non-software risk control measures is to be done before entering the medical software development process. Except for the circumstance where the initial design has a clear allocation and segregation of risks arising (between hardware and software) from the device (the first decision diamond in 4.3) , this isn't practical: modern ME devices with software generally have parallel development between hardware and software elements. A further complication is that the FDA guidance requires determination of the "Level of Concern" prior to the implementation of risk controls; it would be disadvantageous to have to generate a different set of deliverables for an FDA submission and European registration.

With a preliminary Hazard Analysis (an early step in our 14971 process), the determination of classification is possible.

For example, safety class A software does not require any of the risk management activities.
I don't think it is precisely correct to say this. It is true that there are fewer required development deliverables for class A, but unless there literally is no "P1" for a software failure the only way you could claim that Class A software doesn't result in unacceptable risk would be to do the RM activities to support this conclusion.
 
#6
Great. Thanks again for the input. These are fairly abstract concepts so it's really valuable to hear examples of how they are applied in practice.
 

blah01

Involved In Discussions
#7
So we don't do this before starting our 14971 process, but rather as part of the process.
Agreed. For me doing risk assessment per ISO 14971 comes first keeping in mind that during the development phase of a product that the evaluation of effectiveness of risk controls can be an iterative process. In regards to the diagram in 4.3 of 62304 I simply see this as a high-level summary of 14971 actually with the resulting output being the classification of software system(s) in your product.

I don't think it is precisely correct to say this. It is true that there are fewer required development deliverables for class A, but unless there literally is no "P1" for a software failure the only way you could claim that Class A software doesn't result in unacceptable risk would be to do the RM activities to support this conclusion.
Agreed once again. One thing to note is that 14971 4.1 requires that results of the risk analysis be recorded in the risk management file; should that analysis conclude that no foreseeable hazards exist, that in itself needs to be recorded, and in effect, is part of RM activities.

Hope this helps.
 
Thread starter Similar threads Forum Replies Date
D Rationale for Risk Acceptability Matrix - ISO 14971 ISO 14971 - Medical Device Risk Management 9
I Is risk acceptability really needed if all risks must be reduced as far as possible? ISO 14971 - Medical Device Risk Management 6
A Risk Acceptability Criteria - Probability and Acceptability Level ISO 14971 - Medical Device Risk Management 1
K What is the policy for Risk Acceptability per ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 2
Sam Lazzara ISO 14971 Clause 7 - Evaluation of Overall Residual Risk Acceptability ISO 14971 - Medical Device Risk Management 3
M How to create the Policy for determining criteria for Risk Acceptability ISO 14971 - Medical Device Risk Management 11
B Residual Risk Acceptability - Where do I get this Data/Figures from? CE Marking (Conformité Européene) / CB Scheme 9
A How to Rate a Risk Acceptability and on What Basis is it Measured? ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 7
A Correlating Hazard Analysis and DFMEA Risk Acceptability Criteria FMEA and Control Plans 8
T Defining Criteria for Risk Acceptability - ISO 14971 Clause 3.2 ISO 14971 - Medical Device Risk Management 4
A IEC 60601 11.2.2.1 Risk of Fire in an Oxygen Rich Environment, Source of Ignition IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
D Importing a general wellness low risk product Other US Medical Device Regulations 3
C Quantifying risk in choosing the number of parts, operators and replicates in a GR&R Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 4
R AQL, Consumer Risk and MA Statistical Analysis Tools, Techniques and SPC 2
M Risk managment report of Surgical Mask Example ISO 14971 - Medical Device Risk Management 14
M Risk Analysis Flow - Confusion between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 7
R ECG Risk Analysis Standards ISO 14971 - Medical Device Risk Management 2
N Device Labeling - Medtronic Ventilator Files (Risk Management documents) Coffee Break and Water Cooler Discussions 2
A 5 x 5 Risk Matrix - Looking for a good example Manufacturing and Related Processes 2
F Risk for Quality Assurance Department in a Hospital - Hospital Incident Reporting ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
M Should volume of sales be factored into risk probability assessments? ISO 14971 - Medical Device Risk Management 33
T How do you define your Hazards? <a Risk Management discussion> ISO 14971 - Medical Device Risk Management 16
adir88 Documenting Risk Control Option Analysis ISO 14971 - Medical Device Risk Management 8
B Risk Assessment Checklist for Non product Software IEC 62304 - Medical Device Software Life Cycle Processes 1
MrTetris Should potential bugs be considered in software risk analysis? ISO 14971 - Medical Device Risk Management 5
K Identification of hazards and Risk file IEC 62366 - Medical Device Usability Engineering 7
S Risk based internal auditing Internal Auditing 6
Robert Stanley I'm @ RISK of not showing my RISKS! ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 20
M Estimating the benefit-risk ration under MDR EU Medical Device Regulations 1
adir88 Information of safety can reduce risk now? ISO 14971 - Medical Device Risk Management 12
G Any good examples of CAPA forms that include a risk based approach? ISO 13485:2016 - Medical Device Quality Management Systems 5
adir88 MDR requirement: Risk Management Plan for "each device" ISO 14971 - Medical Device Risk Management 5
M Has anyone heard of Run at Risk? Manufacturing and Related Processes 14
Tagin Is SARS-CoV-2/COVID-19 on your risk register? Misc. Quality Assurance and Business Systems Related Topics 11
D IEC 62304 Risk Classification - With and without hardware control IEC 62304 - Medical Device Software Life Cycle Processes 2
J ISO 14971 applied to ISO 13485? Low risk class 1 devices ISO 13485:2016 - Medical Device Quality Management Systems 3
DuncanGibbons Classification of aerospace parts depending on their risk and criticality etc. Federal Aviation Administration (FAA) Standards and Requirements 3
D Performance specification as a Risk Control Measure, EN 14971 ISO 14971 - Medical Device Risk Management 7
M Risk Classification For Supplier - Clinical Research Organisation (CRO) Supply Chain Security Management Systems 3
Sidney Vianna IAQG SCMH explains "positive risk"..........but does it? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 3
MrTetris Unacceptable risk and information for safety ISO 14971 - Medical Device Risk Management 16
M IATF 16949 (6.1.1 - Planning and Risk Analysis for a remote site) Process Maps, Process Mapping and Turtle Diagrams 5
D Risk Analysis & Technical File - What detail goes in the Risk Management Report ISO 14971 - Medical Device Risk Management 5
C AS9100 Rev D 8.1.1 & APQP - Operational risk management process AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 0
B ATP 5-19 "Risk Management" Misc. Quality Assurance and Business Systems Related Topics 2
D Reduction of software class based on multiple external risk controls IEC 62304 - Medical Device Software Life Cycle Processes 5
N Risk Management besides mandated FDA requirements 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
M An example of risk analysis of class I MD ISO 14971 - Medical Device Risk Management 36
M Identifying Hazards - Risk management process ISO 14971 - Medical Device Risk Management 6
M Risk and Corrective actions - Currently no FMEA's - Car systems Risk Management Principles and Generic Guidelines 8
Similar threads


















































Top Bottom